From: Willeat, Todd (TWilleat@MHP.SMHS.COM)
Date: Mon Apr 05 2004 - 16:20:19 EDT
Hi all,
My Security Administrator wants to log all logins/logouts for our AIX boxes
to a syslog server. I have set the auditing config file as follows:
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_Login,USER_Logout,USER_Exit

users:
        root = general
        twilleat = general
However, when checking the /audit/stream.out file, I get the following entry
every few minutes:
S_PASSWD_READ root root Mon Apr 05 15:10:32 2004 OK
telnetd
S_PASSWD_READ root root Mon Apr 05 15:11:33 2004 OK
telnetd
S_PASSWD_READ root root Mon Apr 05 15:11:33 2004 OK
telnetd
S_PASSWD_READ root root Mon Apr 05 15:12:34 2004 OK
telnetd
S_PASSWD_READ root root Mon Apr 05 15:12:34 2004 OK
telnetd
Apparently this means root is reading the /etc/security/passwd file. But
nobody is logging in during these times (this is a test box). Does anyone
know how to prevent this?
Also, does anyone know if this can be set up for all users without listing
each username individually?
Thanks!
Todd A. Willeat
UNIX / Storage Administrator
Mercy Health Plans
425 South Woods Mill Road
Chesterfield, Missouri 63017-3492
(314) 214-2329 / (314) 214-8202 (fax)
twilleat@mhp.mercy.net
http://www.mercyhealthplans.com/
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:48 EDT
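
Added example, not part of the original post and not AIX-supplied code: a shell/awk filter over auditpr-style text like the stream.out excerpt above. It keeps only the three events of the post's "general" class and tallies every other event (such as S_PASSWD_READ). The function names, the output line format and the USER_Login/USER_Logout sample records are constructed for illustration, and the parser assumes the field layout shown in the post.

```shell
#!/bin/sh
# Events of the "general" class from the post's audit config.
KEEP="USER_Login USER_Logout USER_Exit"

# audit_filter MODE: read auditpr-style text on stdin (hypothetical helper).
#   keep -> one syslog-ready line per wanted event
#   drop -> "count event" for every other event seen
# The keep output could be piped to `logger -p auth.info` to reach syslogd.
audit_filter() {
    awk -v keep="$KEEP" -v mode="$1" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    function emit() {
        if (ev == "") return
        if (ev in want) {
            if (mode == "keep")
                printf "audit: event=%s login=%s status=%s cmd=%s time=\"%s\"\n", ev, login, st, cmd, ts
        } else {
            dropped[ev]++
        }
        ev = ""
    }
    NF >= 9 {   # record line: event login real <5 date fields> status [cmd]
        emit()
        ev = $1; login = $2; st = $9
        ts = $4 " " $5 " " $6 " " $7 " " $8
        cmd = (NF >= 10) ? $10 : "-"
        next
    }
    NF == 1 && ev != "" { cmd = $1 }   # command name wrapped onto its own line
    END {
        emit()
        if (mode == "drop") for (e in dropped) print dropped[e], e
    }'
}

# Constructed sample: S_PASSWD_READ lines follow the post; login/logout lines are invented.
sample_stream() {
cat <<'EOF'
S_PASSWD_READ root root Mon Apr 05 15:10:32 2004 OK
telnetd
USER_Login twilleat twilleat Mon Apr 05 15:20:01 2004 OK
tsm
S_PASSWD_READ root root Mon Apr 05 15:20:01 2004 OK
telnetd
USER_Logout twilleat twilleat Mon Apr 05 15:42:17 2004 OK telnetd
EOF
}

sample_stream | audit_filter keep
sample_stream | audit_filter drop
```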